< ciso
brief />
Tag Banner

All news with #cryptojacking tag

38 articles

AI gateway compromise raises cloud security concerns

🔒 Researchers report an AWS EC2 instance acting as a LiteLLM proxy for Amazon Bedrock was compromised and used to deploy XMRig cryptomining malware. The intrusion highlights risk from AI gateways that centralize identities, permissions, and model access, making them high-value targets. Analysts observed SSH exposure, probable brute-force attempts, and suspicious IAM activity tied to model enumeration and persistence efforts. Darktrace assisted in timely detection and containment while urging tighter controls and telemetry correlation.
read more →

International takedown of AudiA6 crypto laundering service

🔎 An international law enforcement operation dismantled the AudiA6 cryptocurrency laundering service, suspected of moving more than €336m for ransomware gangs and other cybercriminals between 2022 and 2025. The probe identified an industrial-scale laundering scheme that used thousands of stolen identities and money mules to obfuscate funds. Arrests, domain seizures and frozen crypto followed coordinated actions across Europe, the US and Georgia.
read more →

GPU-mining campaign uses SEO and AI for delivery

🛡️ Microsoft uncovered a targeted cryptojacking campaign that lures owners of high-performance PCs to malicious download pages for utilities like CrystalDiskInfo and HWMonitor. The attackers used SEO poisoning and, in some cases, manipulated AI chatbots to surface attacker-controlled download links. Infected ZIP archives include legitimate utilities and a malicious DLL that installs the ScreenConnect remote access tool, enabling persistent access and deployment of a process-hollowing loader that ultimately launches GPU miners.
read more →

Microsoft warns of AI‑assisted cryptojacking campaign

🛡️ Microsoft warns of an active cryptojacking campaign that leverages AI chatbot interactions to surface malicious download sites. The attacks impersonate legitimate utilities and target high-performance GPU systems, using ZIP archives with sideloaded rogue DLLs to install ScreenConnect and deliver GPU miners. The campaign establishes persistent remote access, configures Defender exclusions, and supports multiple miners while evading analysis tools.
read more →

Detecting and Preventing Crypto Mining in AWS Environments

🔎 Amazon GuardDuty provides specialized detections and runtime monitoring to identify and mitigate cryptocurrency mining in AWS. It analyzes VPC Flow Logs, DNS queries, CloudTrail events, and workload telemetry to surface findings such as CryptoCurrency:Runtime/BitcoinTool.B and Impact:Runtime/CryptoMinerExecuted. Enable GuardDuty across accounts and Regions and combine it with patching, least-privilege access, and preventive controls to reduce risk.
read more →

Crypto gang member gets 78 months for $230M heist probe

🔒 A 20-year-old California man, Marlon Ferro (aka GothFerrari), was sentenced to 78 months in prison after pleading guilty to serving as a home invader and money launderer for a criminal ring that stole over $250 million in cryptocurrency. Arrested on May 13, 2025, Ferro was found carrying two firearms and a fraudulent ID and was ordered to pay $2.5 million in restitution and serve three years of supervised release. Authorities say the conspiracy combined social engineering, hacking attempts, and physical burglaries to seize hardware wallets and launder funds through exchanges and mixers.
read more →

Qinglong auth bypass flaws exploited for cryptomining

🚨 Researchers at Snyk warn that two authentication-bypass bugs in the open-source Qinglong task scheduler (affecting versions ≤2.20.1) have been chained to achieve remote code execution. The issues — CVE-2026-3965 and CVE-2026-4047 — stem from middleware authorization mismatches with Express.js routing, enabling unauthenticated access to admin endpoints. Active exploitation since early February has resulted in cryptominer deployments that run as a hidden '.fullgc' process and pull multiple binary variants from an external host. Users should apply the patched release and verify middleware authentication enforcement immediately.
read more →

Over 1,000 Exposed ComfyUI Instances Targeted — Miner Botnet

🛡️ An active campaign is exploiting internet-exposed ComfyUI instances to recruit them into a cryptomining and proxy botnet. Censys researchers found attacker tooling that scans cloud IP ranges, abuses unsafe custom nodes for unauthenticated remote code execution, and installs miners (XMRig, lolMiner) and a Hysteria V2 proxy. The payloads persist via periodic retrieval of a ghost.sh script and use techniques such as LD_PRELOAD and chattr +i to resist removal, while a Flask-based C2 panel provides centralized control. Defenders are advised not to expose ComfyUI publicly, to require authentication, and to remove or audit any nodes that execute raw Python.
read more →

Torg Grabber infostealer targets 728 crypto wallets

🔒 Gen Digital researchers describe a rapidly evolving info‑stealer named Torg Grabber that exfiltrates data from 850 browser extensions, including 728 cryptocurrency wallets. Initial access commonly uses a clipboard hijack and a ClickFix PowerShell trick; the payload runs in memory via reflective loading, direct syscalls and heavy obfuscation. Operators migrated exfiltration to HTTPS through Cloudflare and added an App‑Bound Encryption bypass to harvest Chromium cookie data.
read more →

Fake Resume Phishing Deploys Miners and Steals Credentials

📄 A targeted phishing campaign leverages fake French-language resumes containing heavily obfuscated Visual Basic Script droppers to steal enterprise credentials and deploy a Monero miner. The operation, tracked as FAUX#ELEVATE by Securonix, abuses legitimate services including Dropbox, compromised WordPress sites in Morocco for C2 configuration, and mail[.]ru SMTP accounts for exfiltration. The dropper uses sandbox-evasion techniques, a domain-join gate, and a persistent UAC loop to obtain admin privileges, disable defenses and execute its multi-stage toolkit rapidly.
read more →

BeatBanker and BTMOB Android trojans: infection tactics

🚨 BeatBanker is a sophisticated Android trojan targeting Brazilian users through counterfeit pages that mimic Google Play and legitimate services such as INSS Reembolso or Starlink. The malware installs in staged downloads, injects encrypted modules into RAM after device and country checks, and avoids analysis by detecting emulators. It deploys a Monero miner that evades power optimizers by playing near‑inaudible audio and uses Accessibility abuse to overlay screens and divert crypto transfers. Users should stick to official stores, scrutinize permissions, and run up‑to‑date anti‑malware.
read more →

BeatBanker Masquerades as Starlink App to Hijack Devices

🛡️Kaspersky researchers have uncovered BeatBanker, an Android malware campaign that lures victims with fake Starlink app pages and sideloaded APKs. The threat blends banking-trojan capabilities with a modified XMRig Monero miner and, in recent variants, deploys the BTMOB RAT for full device takeover. BeatBanker uses in-memory DEX loading, environment checks, a faux Play Store update prompt, and a near‑inaudible MP3-based persistence mechanism to evade detection.
read more →

Wormable XMRig Campaign Uses BYOVD to Boost Hashrate

🛡️ Trellix researchers describe a wormable cryptojacking campaign that lures victims with pirated software bundles to deploy a custom XMRig miner and a modular dropper that acts as installer, watchdog, payload manager, and cleaner. The binary uses command-line mode switching to install, restart, monitor, or self-destruct and contains a time-based logic bomb that triggers decommissioning after December 23, 2025. The actors abuse a flawed driver, WinRing0x64.sys (CVE-2020-14979), in a BYOVD chain to escalate privileges and boost RandomX hashrate by an estimated 15–50%. Responders advise blocking vulnerable drivers, scanning for artifacts, restricting removable media execution, enforcing least privilege, and applying relevant patches.
read more →

Cryptojacking Campaign Uses Signed Driver to Boost Monero

🛡️ Trellix uncovered a multi-stage cryptojacking campaign that spreads via pirated software installers and deploys a customized XMRig miner alongside a stateful controller. The dropper installs a primary Explorer.exe controller and multiple watchdog processes for persistence, with a hardcoded expiry of December 23, 2025. Attackers load a signed vulnerable driver (WinRing0x64.sys/CVE-2020-14979) to gain kernel access and disable CPU prefetchers, boosting Monero RandomX performance by an estimated 15–50%. Researchers observed connections to the Kryptex pool and recommend enabling Microsoft's vulnerable driver blocklist, restricting USB access and blocking known mining pool traffic.
read more →

Threat actors hijack web traffic via React2Shell exploit

⚠️ Researchers at Datadog Security Labs report threat actors are exploiting the React2Shell vulnerability (CVE-2025-55182) in React 19 to execute code on servers and then target NGINX instances managed with Boato Panel, focusing on several Asian TLDs and Chinese hosting. Attackers use automated, multi-stage toolkits to discover targets, persist, and write malicious NGINX configs that redirect traffic for cryptomining, credential phishing, or malware delivery. Defenses include prompt patching, locking down configuration files, maintaining configuration records, and monitoring NGINX advisories.
read more →

Hackers Hijack Exposed LLM Endpoints in Bizarre Bazaar

🔒 Researchers at Pillar Security recorded over 35,000 attack sessions in a 40-day window revealing a large-scale operation they call Bizarre Bazaar, an instance of LLMjacking that monetizes exposed LLM endpoints. The campaign targets misconfigured self-hosted models, unauthenticated APIs (notably Ollama on port 11434 and OpenAI-compatible services on port 8000), and publicly accessible MCP servers. Compromised endpoints are used for cryptocurrency mining, reselling API access through a marketplace dubbed silver[.]inc, data exfiltration, and lateral movement into internal systems.
read more →

Malicious PyPI Package Impersonates SymPy, Deploys Miner

🔍 A malicious PyPI package named sympy-dev was found impersonating SymPy, copying the legitimate project's description to trick users; it has been downloaded over 1,100 times since its January 17, 2026 publication. Socket's analysis shows select symbolic-math routines were modified to retrieve a remote JSON configuration and download an ELF payload that launches an XMRig miner. The backdoor executes the ELF binary directly in memory via memfd_create and /proc/self/fd to reduce on-disk artifacts and only triggers when specific polynomial functions are invoked to remain stealthy.
read more →

Misconfigured Demo Environments Become Cloud Backdoors

🔒 New research from Pentera Labs shows that internal testing, demo, and training applications left in default or misconfigured states are being used as entry points into enterprise cloud environments. The team found popular vulnerable apps such as Hackazon, DVWA, and OWASP Juice Shop exposed on major cloud platforms and sometimes tied to overly permissive IAM roles. Attackers have leveraged these exposures to deploy crypto miners, webshells, and persistence mechanisms; Pentera recommends inventorying assets, enforcing least privilege, isolating labs from production, and expiring temporary test environments.
read more →

RondoDox Botnet Exploits React2Shell to Hit Next.js

🔥 The RondoDox botnet has been observed exploiting the critical React2Shell flaw (CVE-2025-55182) to compromise vulnerable Next.js servers and deploy malware, including coinminers and Mirai-like components. CloudSEK reports scanning began on December 8 with active deployments starting December 11, and Shadowserver counts over 94,000 exposed assets. The botnet also conducts hourly IoT exploitation waves to enroll routers and uses loaders that remove competing malware and enforce persistence.
read more →

Typosquatted MAS domain spread Cosmali PowerShell malware

⚠️A typosquatted domain impersonating the MAS Windows activation tool — get.activate.win instead of the legitimate get.activated.win — was used to serve malicious PowerShell scripts that deploy the Cosmali Loader. Victims reported intrusive pop-up warnings claiming a Cosmali infection after mistyping the domain while running activation commands. Researcher RussianPanda linked the loader to cryptomining utilities and the XWorm RAT. MAS maintainers urged users to verify commands, avoid retyping URLs, and test remote code in sandboxes before execution.
read more →